Episode 3: Implementing a DevSecOps approach to software development with Will Kelly

In this episode, we invite Will Kelly to join Mackenzie and Dwayne in a conversation about implementing DevSecOps in software organizations. We tackle what DevSecOps is in reality, how organizations can put together a plan to roll out a DevSecOps approach, and the challenges that surround this.

Video Transcript

[Cold open] This is the place that made nerd cool. The most popular password in the United States is password123. Those are some of my previous passwords. Who on Earth would actually fall for that? Sensitive information has been sort of given to the wrong hands.

Mackenzie: Hello everyone, and welcome back to another episode of The Security Repo. I'm really happy that we have a special guest with us today, Will Kelly, and also we have a new permanent fixture on the podcast, my partner in crime now, Dwayne McDaniel. Will, I'll start with you: can you tell us a little bit about yourself and your background? And of course, welcome.

Will: Oh, thank you, Mackenzie. My name is Will Kelly. I'm a freelance writer focused on DevOps and the cloud, among many things. I'm a correspondent for Red Hat's Opensource.com, and my articles about DevOps and cloud frequently appear on TechTarget. Prior to that I worked in marketing for two startups, and got my start as a technical writer on development and solution architecture teams. I'm excited to be here.

Mackenzie: Awesome. Well, it's awesome to have you here, and you're going to bring some interesting insights to us. And Dwayne, as it's your first time on this podcast officially, could you give us a little bit of a rundown about you and your background?

Dwayne: Thanks very much, Mackenzie. I'm excited to be here, and thanks for being the guest on my premiere episode, Will. Very excited to have you as well. So I'm Dwayne McDaniel. I live in Chicago. I work for GitGuardian. I'm a developer advocate, same as Mackenzie, so you'll see me out there speaking at various events around the world, mostly in the US though. You can find my writings on our blog; I've been writing a lot since I joined the company, and putting together things like this. So, very excited. I'm learning a lot. I've been in devrel since about 2015. I've given a lot of talks on a lot of subjects. I'm still fairly fresh to the security world. I've talked a lot about security in past talks, but to live in it day in, day out, breathing it, there's a lot to learn. So it's a very exciting ride. I'm just happy to be here.

Mackenzie: Yeah, well, I mean, that's part of the reason why we do the podcast: I'm selfish and I want to learn about different areas in security too, and why not broadcast it? So we're all here learning. But one thing that I'm excited to dive into a little bit with Will, because I've read some of your articles, particularly on the Red Hat side: you've spoken a lot about DevSecOps. So this is a fairly new term, right? We love acronyms in security, and sometimes acronyms get thrown around by marketing companies to try and make it out, but in your perspective, what is DevSecOps?

Will: I look at DevSecOps two ways. The first way is, if you have an enterprise that has already made moves in DevOps, bringing their development teams and operations teams together and breaking down those silos, it's bringing security into that DevOps life cycle and processes. So it's automated scanning, it's scanning code, it's scanning in production, it's security at every phase. It was a part of the DevOps discussion that was missing in the early days, unfortunately. The second way I look at it is for companies that are moving from a traditional waterfall software development life cycle, or ad hoc life cycles they built themselves. It's moving to a more iterative life cycle following DevOps principles, and putting in security at each step of that process to ensure that they're releasing secure and compliant software on a regular cadence.

Mackenzie: Right, so it's kind of an evolution of DevOps. Is it hard to... we're talking about just kind of what DevSecOps is. Is this something that smaller companies, startups, should be focused on to grow from, or is it something that larger companies can or should be trying to adapt and change a little bit? Who is the conversation geared at here?

Will: The conversations I've been privy to along the way, through the course of articles and some other projects, have been... First of all, to take a step back, I see that DevSecOps is going to subsume the DevOps conversation entirely in the next couple of years. Smaller startups that are starting from scratch are ideal candidates just to move straight to a DevSecOps model. And if you look at large enterprises, even the federal government and parts of the Department of Defense have moved to DevSecOps models for that continuous release of secure software. Granted, larger enterprises have the resources, the people, the funding for training and the addition of new tools, so they're probably going to be in positions where they're starting small and expanding out. A couple of teams are going to move to a DevSecOps model, they're going to build on those successes internally, they're going to sell those successes, and then, if everything works right, that's how adoption picks up across a large enterprise.

Mackenzie: Really interesting. You would say new organizations just need to start with this. Could you talk a little bit about why you think that is, the real advantages of this approach versus, you know, starting small, starting in traditional ways?

Will: Let's take a traditional Series A startup, for example. You may have 30 or 40 people, 10 or 15 developers, if not a little bit more. You have a clean slate. You're still small, but you also have two big challenges on top of you. One is, customers now are expecting secure software. You're putting in those security practices in your development life cycle on day one, while you're also still maintaining your delivery velocity. I think the days are gone, for everybody, where security is the last stop on the development life cycle train before release. There's just too much going on right now as far as attacks, as far as the volume of vulnerabilities that are out there in open source code and proprietary code. That speed of release, that continuous scanning, that's the future in my eyes.

Dwayne: That makes perfect sense for more of the greenfield, smaller organizations, and I think this leads into one of the questions we wanted to get into, which was around how to get to that culture of DevSecOps, especially in larger organizations, because you mentioned the federal government, very large organizations are starting to adopt this. How do we go about the process of adopting this culture?

Will: I'm not going to say that it's not challenging, guys, but the challenge is you have to split them up between culture and practices and technology. If you look at a large enterprise such as parts of the United States Air Force, it started on one major project and then they build upon those successes. Whether you're a federal government agency or you're a large enterprise, you need to have that DevSecOps champion, somebody at at least the executive level, and that's going to be somebody that has the most to gain or lose because of DevSecOps. Take for example: you could have a DevSecOps champion that could be your VP of sales, or another customer-facing role, because that person may have had deals escape their hands because security was not there. You may have the traditional ally of the CSO, who has more pressure now for security and compliance over their internal systems and the software that's being released than ever before. You have the people down at the development teams, and I'm not even talking at the director level, the people who are down there doing the work, who are looking for better ways of doing things. They've either been burned because of security vulnerabilities in the past, or they're being forced to do more with less, so they need to put in the automation, they need to put in the practices where security is part of that development train. There's also, you have to look at the traditional security versus developer cultures that are out there. I think we've all been in organizations where the security team was the department of no, or the security team was siloed off, sometimes by design or just by internal politics. Part of that DevSecOps culture is bringing them further into the development life cycle than they've ever been before. Some organizations are going to have resource issues and staffing. That's when you put in the tools to be able to give your security team a view into what's going on as far as vulnerabilities, initiatives going on in the development life cycle. That's where automation comes in, that's where the reporting comes in, that's where making security part of day one of your project is essential for moving to DevSecOps. It's also bringing in that training for secure coding and other security best practices to your developers. The intention should not be to have your developers double as your security team; it's to build the complementary skill sets where your security team and your development teams can work better together and closer than they've ever had before. I found in my technical writing days that sometimes a lot of teams just don't talk to each other.

Mackenzie: Really? No way.

Will: Yeah, no, I know, I'm not telling you guys something you don't already know. But I'm saying it also in the sense of, it's a lot of people who don't understand what another team's jobs are. It was a classic thing I always thought when I was a technical writer: it would be like, well, I'm a developer, I don't want to go talk to him, send the technical writer, whether it was a review of documentation, whether it was interviewing them to get their information for our document. One hand didn't know what the other hand was doing, and DevSecOps can help relieve that inside enterprises. It's not something that's going to happen overnight. It's going to be something that you're going to have to build, that internal constituency, those internal champions at all levels. Start on those smaller projects and build out, and you're giving both teams tools and processes and practices to relieve some of that increasing pressure that the current era of security and compliance is bringing down on large and small enterprises in the commercial and public sector alike.

Mackenzie: There's so much in that; that was fantastic. I'm going to dive into a couple of them, but just at the end you were talking about siloed teams. One thing that I've really found is that teams that are siloed often don't even know it, because they haven't been in an environment where people actually talk together, so they don't even know what the possibility is. But I want to go back to the start of what you were saying. You were talking about a champion, a DevSecOps champion, and what I want to ask you now is, if we're that champion, we may be an executive, we may be in the sales team as you said, we may be a developer or product manager, we could be anyone, so what are the fundamental steps that we can take to start championing internally for DevSecOps, to bring awareness? How do we shift the conversation so it actually gets to someone that can start implementing change as a culture?

Will: You have to first start at recognizing your current and future security challenges that your teams are facing. Let's take an example: one of your competitors has suffered a vulnerability or a breach. It could happen to you, it could happen to everybody. That is an arrow you need to put in your quiver. You have to be very conscious of where security trends are going in your vertical market. You have to be able to tie those to business. By business I mean, if we move to more secure development practices, that's good, that's going to help us reach more security- and compliance-conscious customers; it becomes part of our customer story. Also, you have to look at the cost that your company is going through for security and compliance programs. If we're being proactive and taking care of a lot of stuff during the development life cycle, it should be less work to do by the time the auditors come. You have to look at the reporting and the information that you can deliver to your executives, your CSO, your CTO, so when the word comes down from the executives or the board, "we want to know about the vulnerabilities in your software, we want to know about the current state of security," you can tell them the story, especially if you have the reporting tools in place from the day your project starts until it goes into production, and every release after that. You have to find the proactive nature of your organization, which can be hard, and I've seen that not work. When I've seen it work, it's been tying it to money and business, and sometimes that can be hard if you're on the development team side. But if you have contact with somebody in sales, if you have contact with somebody in product, those are the allies you build into that sort of team of champions that gets the move to DevSecOps noticed by your executives and the people who can sign the purchase orders.

Mackenzie: Yeah, I liked what you were saying about the arrow in the quiver, and then when you start building these allies, as I guess you call them, everyone has different arrows in their quiver. The sales teams are going to be able to provide you with information about where security is letting them down in that sales cycle. You bring in the recent news stories of a competitor. You've got to take advantage of those critical moments, you know, where you can actually move, because everyone's starting to think about it. We've all seen the meme, right: the security budget before a breach, the security budget after the breach. But that doesn't have to be your breach; it could be someone else's breach. And then starting to bring on these people makes a lot of sense, because we had a question that I'd written down, which is how do you get exec buy-in, and I think you answered that a lot there, because it's about building up enough of a story across enough of a branch that it becomes a no-brainer to do this. And then I guess to build it out practically in a single project, it's probably going to be a journey. You're not going to become exactly...

Will: I've done a lot of writing on the DevOps to DevSecOps transformation. It really ends up being the next step in that DevOps journey. That building of allies comes down to: you have to be conscious of what the major stakeholders have to gain if you move to DevSecOps, and most of all what they could lose. Some people are against fear, uncertainty and doubt, but there are so many executives that are under even more pressure now because of the current security climate out there.

Dwayne: Actually, that's a pretty good segue, the current security climate, because one thing we did want to ask you before we run out of time today is to look at supply chain security, and the role of DevSecOps in there. I know that's something you've written about, something you have some pretty strong opinions about, so I was hoping you could give us a lay of the land on what even is supply chain security.

Will: What's really interesting right now, to me, my interpretation and my view of software supply chain security is that it's just another extension of DevSecOps practices outside to your suppliers. Software supply chain security is really on trend right now. Large enterprises have to acknowledge the fact that while there's a lot of great work being done out there, some of these Series A software security startups aren't going to make it. They're not going to make it through the current economic climate. I expect that some of those Series A startups are going to go away. However, DevSecOps practices aren't. You're going to want to be assessing the security and trustworthiness of the code that's entering your software, whether it's open source or whether it's proprietary code from a supplier. That automation of a DevSecOps tool chain and those practices is ideal for that, the rating of secure and proprietary code. A move to DevSecOps is already introducing those practices with your developers. It just takes working with suppliers and contractors and vendors that take a similar approach, and working with your supply people and your procurement people to make sure that's part of contracts. Granted, it's not a perfect approach, but in software supply chain security in the future, I do expect the due diligence of suppliers is only going to increase. There's also that continuous testing and monitoring, that stuff you're already doing in your DevSecOps tool chains, and there's the generation of the software bill of materials. Some people call it a list of ingredients; I equate it to a bill of materials for a car or a house. You can already automate that; there are already DevSecOps tools out there that can automate the generation and monitoring of those bills of materials, so you can see if something being introduced in your software supply chain is not supposed to be there.

Dwayne: Just a quick follow-up on that. It's interesting that you talk about that feedback loop between vendor and customer there. It almost sounds like an extension of the DevOps philosophy itself, which was really set out to shorten that feedback loop between dev and ops, but now the ball just keeps expanding.

Will: It is. There's going to have to be better collaboration with vendors. That might be a culture shock to some corporations. The days of sort of pushing that contractor into the corner and saying "stay over there and do your work," that's got to change, and that goes both on the government side and on the commercial side. So DevSecOps practices are going to bring more collaboration around your visibility into your suppliers. That should be the intended outcome. It's not going to be an overnight transformation. It's going to be something that, again, you're probably going to have to start small. You're probably going to have to talk to your most trusted vendors and suppliers and bring them in on your initiatives, because again, it goes to those vendors having something to gain and something to lose depending on how they follow those practices.

Mackenzie: How do you start that conversation with vendors, and how involved do you get? Because dealing with vendors can be various different experiences depending on how much money you're putting out and how demanding you are.

Will: I think when it comes down to it, I'm also a believer that DevOps and DevSecOps affect more of the business than just your developers, security and your operations people. You have to bring in your technical contact with that vendor. You have to work with your procurement people. If you have a strategic alliances program and those vendors are part of that program, get them involved. We're in a world where everybody wants to make money. You have to tune into that, or could some small vendors fall by the wayside? Yeah. It's not a perfect situation, but in extending those development practices, there's going to be a lot of controversy out there through self-attestation (I always get that word mixed up) that you're following certain practices. That's why you want to start small with your most trusted vendors and build out, build those allies, build those alliances. And you're going to stumble, you're going to fall with vendors; then you see how vested everybody is in that business relationship.

Mackenzie: Yeah, I mean, it's going to be something that we're all going to have to adopt. There have been a lot of key takeaways here, but I think finding those champions, putting it together, starting small, being able to deliver on something and making it part of an unshakable business proposal to the powers that be is fundamental, and then going through those tools of change, embracing some different tools and actually making them work along the way. Yeah... well, sorry, go for it.

Will: I look to the future. I actually see the legal team and the procurement team playing part-time roles in the future of DevOps and DevSecOps and software supply chain security. People who completely aren't developers are inevitably going to play their supporting roles, and the future of software supply chain security is where you're going to see it, because sometimes the only way to enforce things is contractually. It's going to... and the reality is, pro DevSecOps... I've been weird about everyone, that all the teams that come into it.

Mackenzie: Well, we're running out of time, but it's been really fascinating. Dwayne, do you have any final questions that you want to fire at Will before we start to wrap up?

Dwayne: I mean, I could ask about three or four or more hours of questions to you, Will. It's always nice to talk with someone knowledgeable about these things. Just a comment, though. It sounds very much, with that last comment you made about lawyers and procurement, that the worry of security, the responsibility of it, just keeps expanding and expanding. Is security really just everyone's job at this point?

Will: Everybody's job now, and the evolution of DevOps to DevSecOps to software supply chain security is not just the job of your development teams, your security teams and your operations teams. It's also the teams outside that support them, like your legal department, like your procurement department, like your strategic alliances people. It makes security everybody's job, and the organizations that get DevSecOps right in the future are the ones that are going to acknowledge that full team effort.

Mackenzie: That's awesome. I think that was one of my favorite questions of the podcast so far, and that actually describes perfectly where we all need to head. We need to create these synchronizations between these silos and kind of decouple the organizations, make it much more broad so everyone's communicating. That's how we're going to solve the security issues that we're facing today.

Will: Exactly.

Mackenzie: Well, Will, I want to thank you again so much for joining in here. I know that you're a prolific contributor to many different areas, but if people want to follow you, read some of your work and dive a bit deeper, what's the best place that they can keep in contact with you, or find some of your work?

Will: You can find me on Twitter or LinkedIn. On Twitter I'm @willkelly, and on LinkedIn it's w-i-l-l-k-e-l-l-y. I probably would need to edit that; I'm not sure I'm saying that the way you're supposed to. I'm easy enough to find online.

Mackenzie: Definitely. And I would also recommend, if this has been an interesting topic for you, to go on to the Red Hat blog, where Will contributes a lot and there are some great articles specifically around DevSecOps. You will find links to those articles in the description of the show. So, Will, one last time, thank you so much for coming. It's been a very informative conversation, and one that I think will generate much more difficult conversations, and ones that we hope we can spark within organizations. So thank you again.

Will: Thank you both for having me, and I'd like to thank Amy tune Heinlein for hooking us up. She's a mutual friend of ours. I think this was a lot of fun.